SEC Proposes New, Formal Cybersecurity Disclosure Rules

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed a number of new rules to enhance public companies’ reporting of (i) cybersecurity incidents, (ii) their policies and procedures for identifying and managing cybersecurity risks, and (iii) the roles of their management and boards in implementing cybersecurity policies and procedures.

This proposed set of rules builds upon, and goes significantly further than, prior interpretive guidance released by the SEC staff in 2011 and by the SEC itself in 2018, in that these proposed rules would create express, mandatory disclosure obligations. The proposed rules include the addition of a new Form 8-K item to report cybersecurity incidents, a Reg. S-K item requiring periodic disclosure of cybersecurity policies and procedures and governance, and a change to Reg. S-K Item 407 requiring disclosure about a public company board’s cybersecurity expertise.

These rules, if adopted, would fundamentally change how companies treat the reporting of, management of, and responsibility and oversight for, cybersecurity incidents.

SEC Rationale for New Rules

In the proposing release, the SEC noted as a justification for proposing these new rules that cybersecurity threats and incidents pose a significant and growing threat to public companies, investors and other market participants. The SEC added that this results in increased effects on the economy and public companies. Some consequences identified by the SEC that companies may experience due to a cybersecurity incident are:

• business interruption costs, decreases in production and delays in product launches;
• payments to meet ransom and other extortion demands;
• remediation costs;
• increased cybersecurity protection costs;
• lost revenues;
• litigation and legal risk;
• harm to employees and customers, violation of privacy laws and reputational damage; and
• damage to the company’s competitiveness, stock price and long-term shareholder value.

The SEC reasoned that whether and how a company addresses cybersecurity risks could impact an investor’s return on investment, and would be information useful to an investor when making an investment decision. Therefore, the SEC believed investors would benefit from (i) timely and consistent disclosure about cybersecurity incidents, and (ii) greater availability and comparability of public companies’ disclosures of cybersecurity risk management, strategy and governance practices.

SEC Dissatisfaction With Current Practices

As part of its rationale for proposing these new rules, the SEC expressed dissatisfaction with the current disclosure practices of companies in the area of cybersecurity. The SEC noted that Form 8-K disclosure practices vary widely with respect to the treatment of cybersecurity incidents, both in terms of the disclosure of the nature of the incident and whether it is reported at all. The SEC was particularly troubled by companies that reported cybersecurity incidents to the media, but did not report such incidents in a Form 8-K. In general, the SEC believed that cybersecurity incidents are underreported.

Additionally, the SEC found that most cybersecurity risks are discussed in a company’s “Risk Factors,” where such risks are sometimes blended with other unrelated disclosures, making comparability between companies difficult. In sum, the SEC found current reporting practices insufficient in detail, not timely and difficult to locate in a public company’s filings. This informed the SEC’s goal of the new rules: to provide “consistent, comparable and decision-useful disclosures” regarding a public company’s cybersecurity risk management, strategy, governance practices and response to incidents.

Proposed Form 8-K Change

The proposed rules would create a new Item 1.05, requiring a public company to disclose the following specific information about a material cybersecurity event it experienced:

• when the incident was discovered and whether it is ongoing;
• a brief description and scope of the incident;
• whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
• the effect of the incident on the company’s operations; and
• whether the company has remediated or is currently remediating the incident.

The proposed rules would not require a company to disclose specific, technical information about the planned response to the incident or the company’s cybersecurity systems, networks and devices or potential vulnerabilities. Like all other items for which mandatory disclosure is required on Form 8-K, the occurrence of a material cybersecurity incident would have to be disclosed within four business days. This represents, for the first time, a fixed time frame for reporting a cybersecurity event. The trigger date for beginning the four-business-day period in which the incident would need to be disclosed is the date on which the company determines that a cybersecurity incident it has experienced is material. This means an incident would not necessarily be reportable on the date the company first discovers it, but rather when it determines it is material, applying traditional securities law considerations to determine materiality.

Proposed Reg. S-K Changes Regarding Cybersecurity Policies and Procedures

The proposed rules would add Item 106 to Reg. S-K, requiring new cybersecurity disclosures in Form 10-K reports and/or proxy statements. Part of this new item would require companies to disclose material changes, additions or updates to information about a cybersecurity incident reported on a Form 8-K. The purpose of this, reasoned the SEC, is to provide a means for investors to receive regular updates regarding a previously reported incident.

Proposed Item 106(b) would require public companies to provide disclosure regarding their cybersecurity risk management and strategy — that is, a public company would be required to disclose its policies and procedures to identify and manage cybersecurity risks and threats. The rules would require the company to disclose whether:

• the company has a cybersecurity risk assessment program, and if so, a description of such system;
• the company engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
• the company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider;
• the company undertakes activities to prevent, detect and minimize the effects of cybersecurity incidents;
• the company has business continuity, contingency and recovery plans in place for cybersecurity incidents;
• previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures or technologies;
• cybersecurity-related risks and incidents have affected or are likely to affect the company’s results of operations and financial condition; and
• cybersecurity risks are considered part of the company’s strategy, financial planning and capital allocation.

Proposed Reg. S-K Change Regarding Cybersecurity Governance Disclosure

The new proposed Reg. S-K Item 106 would also require disclosure (which would appear in a company’s proxy statement or Form 10-K) of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a discussion of management’s involvement. Specifically, the new rule would require the following disclosures:

  Board of Directors Involvement

• whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
• the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on the topic; and
• whether and how the board or applicable committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.

Management Involvement

• whether certain management positions or committees are responsible for measuring and managing cybersecurity risk;
• whether the company has a designated chief information security officer or someone in a comparable position;
• the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents; and
• whether and how frequently such persons or committees report to the full board of directors or a committee of board on cybersecurity risk.

Finally, the SEC proposed amending Item 407 of Reg. S-K (which would also appear in a company’s proxy statement or Form 10-K) to require disclosure about the cybersecurity expertise of members of the board of directors, if any. Companies would be required disclose the name of any such director and provide information regarding the nature of the director’s expertise.

What’s Next?

The proposed rules will be open for comments for 60 days, and the SEC could determine to adopt the rules as proposed, adopt the rule with revisions or abandon the rule change altogether. McGuireWoods will continue to monitor developments in this area.

For additional guidance on the information in this alert, please contact the authors, any member of McGuireWoods’ securities and compliance team or securities enforcement team, or your primary McGuireWoods contact.

McGuireWoods’ securities and compliance team assists private and public companies in capital raising efforts through private and public offerings, and also assists public companies with their reporting obligations under the Securities Exchange Act of 1934, including Forms 10-K, 10-Q and 8-K, Section 16 reports and DEF 14A (proxy statements), as well as with Regulation FD and Regulation G compliance. Team members prepare insider trading policies, develop training programs and assist with other aspects of securities transactions engaged in by company officers, directors and significant security holders, including 10b5-1 plans and Rule 144 compliance.